CIS 4360 Secure Computer Systems
System Boot
Professor Qiang Zeng
Spring 2017

Previous Class

• What a TPM is:
  – Hardware protected keys
    • Endorsement key: for signing (PCR values)
    • Storage root key: for encrypting storage keys
  – Crypto-processor
    • RSA
    • HMAC
    • SHA-1 (SHA-2 in TPM 2.0)
  – PCR
• What the TPM can do
  – Attestation
  – Sealed storage

TPM-Based Attestation Example

[Gasser et al. ’89], [Arbaugh et al. ’97], [Sailer et al. ’04], [Marchesini et al. ’04]

[Figure: BIOS, Bootloader, OS, Modules and Apps, next to a TPM holding the PCRs and KPriv]

Establishing Trust via a TPM

[Gasser et al. ’89], [Arbaugh et al. ’97], [Sailer et al. ’04], [Marchesini et al. ’04]

[Figure: attestation exchange over BIOS, Bootloader, OS, Modules and Apps, with a TPM holding the PCRs and KPriv. Labels: "random #" (guarantees freshness); "KPub" (guarantees real TPM); "Sign" with KPriv over a message that includes the random # (guarantees actual TPM logs); "Accurate!"]

BitLocker

• At system boot (before OS boot)
  – Optional: BIOS requests PIN or USB key from user
  – TPM unseals VMK, if PCR and PIN are correct
    • PIN is to derive the keyAuth (recall TPM_SEAL)
    • TPM defends against dictionary attack on PIN
• Many options for VMK recovery in certain cases
  – Disk, USB, paper (all encrypted with password)
  – Recovery needed after legitimate system change:
    • Moving disk to a new computer
    • Replacing system board containing TPM
    • Clearing TPM

Previous Class

What is Measured Boot?

At each stage of system booting, the code and configuration for the next stage are scanned and the hash value is recorded in the TPM (by extending a specified PCR).

Previous Class

What attacks can you do if you have extracted the private key from a TPM?

A software module can claim itself as a TPM. It can (1) sign arbitrary PCR values it wants; and (2) steal the storage keys originally sealed by the hacked TPM.

Previous Class

What knowledge should an IT service have for attestation over a laptop of the company?

Remote attestation is great as it stops potentially malicious computers from connecting to the company network. But it also requires extra work from the IT department, as they have to first know what PCR values are good; in other words, they have to know the set of legitimate firmware, bootloader, OS and applications.
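
The measured-boot chain and the IT-side check from the two answers above, as an added example (not from the original slides): each stage's hash is extended into a PCR, and the verifier recomputes the value for every approved software stack. The single SHA-1 PCR and the sample byte strings are assumptions of this example; a real platform spreads its measurements over several PCRs.

```python
import hashlib

PCR_LEN = 20  # SHA-1 digest size, the hash the slides list for the TPM


def measure(blob: bytes) -> bytes:
    """Hash the code/configuration of the next boot stage."""
    return hashlib.sha1(blob).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: the register is folded forward, it can never be set directly."""
    return hashlib.sha1(pcr + measurement).digest()


def replay(stages) -> bytes:
    """Recompute the PCR a machine ends up with after booting `stages` in order."""
    pcr = bytes(PCR_LEN)  # the PCR is all zeros after reset
    for blob in stages:
        pcr = extend(pcr, measure(blob))
    return pcr


def build_allowlist(approved_chains: dict) -> dict:
    """Map each known-good final PCR value to the name of its approved stack."""
    return {replay(chain): name for name, chain in approved_chains.items()}


def check_report(reported_pcr: bytes, allowlist: dict):
    """Return the approved stack name, or None when the PCR value is unknown."""
    return allowlist.get(reported_pcr)


# Constructed sample data: byte strings stand in for real firmware and OS images.
FIRMWARE, BOOTLOADER, KERNEL = b"uefi-fw-1.4", b"grub-2.02", b"linux-4.9"
ALLOWLIST = build_allowlist({"corp-laptop-2017": [FIRMWARE, BOOTLOADER, KERNEL]})

if __name__ == "__main__":
    good = replay([FIRMWARE, BOOTLOADER, KERNEL])
    tampered = replay([FIRMWARE, b"grub-2.02-patched", KERNEL])
    print("good chain:", check_report(good, ALLOWLIST))
    print("modified bootloader:", check_report(tampered, ALLOWLIST))
```

Because every extend depends on the previous PCR value, a changed stage or a changed order both produce a value that is not on the allowlist.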

Outline

• How does a system boot?
  – BIOS-MBR (generation 1)
  – UEFI-GPT (generation 2)

Have you encountered such errors?

• “Operating System not found”
• “DISK BOOT FAILURE – INSERT SYSTEM DISK AND PRESS ENTER”
• Your installed operating system is missing

Terms

• BIOS and UEFI are both firmware (for h/w initialization and loading boot loaders)
  – UEFI is to replace BIOS
• MBR and GPT are both disk partitioning schemes
  – GPT is to supersede MBR
• GRUB and Bootmgr are both boot loaders
  – GRUB is for Linux/Unix
  – Bootmgr is for Windows (since Windows 7)
• Don’t worry; we will introduce each in detail

What is System Boot?

• Boot is short for bootstrap
• System boot is to initialize a computer system typically until an OS is loaded and initialized
• Two big steps:
  – The computer firmware initializes the h/w and locates, loads, and executes the boot loader
  – The boot loader loads and executes the OS

Why is System Boot complicated?

• Little intelligence upon power on
  – There is no concept of file system; only raw disk read in the beginning
• Many h/w and s/w standards are involved
  – From BIOS to UEFI
  – From MBR to GPT
  – “Blind” boot, trusted boot, secure boot
• Multiple OSes may be installed on one disk
  – Dual boot, triple boot, …
  – Chain loading: a boot loader calls another boot loader; e.g., GRUB loads bootmgr (a Windows-specific boot loader) to start Windows 10

BIOS

• BIOS: Basic Input-Output System
• What does it do?
  – Power-on self-test (POST): test and initialize h/w, such as RAM, interrupts, keyboard, etc.
  – Execute extension ROM: some disk controllers and video cards include their own BIOS extension
  – Locate, load and execute the boot loader from a bootable device

Questions to be explored

• How does BIOS recognize a bootable device?
• How does BIOS locate the boot loader?
• Hint: BIOS is dumb and it solves the problems above by following some hard-wired flags and addresses
• Let’s continue…

MBR (Master Boot Record)

• Sector 0 (512 bytes) on a disk:
  – 440 bytes: primary boot loader code
  – 4 bytes: disk signature; 2 bytes: NULLs
  – 16 x 4 bytes: partition table, so at most 4 primary partitions
  – 2 bytes: magic; 0xAA55 indicates a valid MBR

[Figure: MBR sector contents, with these annotations]
• Active partition: its entry in the partition table starts with 0x80.
• This partition contains some other boot loader code, used by the Windows boot loader
• Flag of MBR (little endian)

BIOS-MBR

• How does BIOS recognize a bootable device?
• How does BIOS locate the boot loader?
• After POST, BIOS loads the first sector (512 bytes) of the current device (say HDD1->HDD2->USB; the order can be configured in BIOS) into memory
• Check if the 511th and 512th bytes are 0x55 and 0xAA, respectively.
  – If not, go back to step 1 and try the next device, or give up if there aren't any more.
  – If yes, execute the boot loader code from the MBR sector, thus passing control to (hopefully) a boot loader
    • Who knows? It may be just some virus
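
The signature check above together with the MBR layout from the earlier slide, as an added example (not from the original slides): it applies the same 0x55/0xAA test the BIOS does, lists the partition entries, and hashes the 440 bytes of boot code so they can be compared against a known-good baseline. The sample sector and its values are constructed; the fields of a 16-byte entry beyond the leading status byte (type, first LBA, sector count) follow the standard MBR layout, which the slides do not spell out.

```python
import hashlib
import struct

SECTOR_SIZE = 512
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), first LBA, sector count


def parse_mbr(sector: bytes):
    """Return the MBR fields, or None when the boot signature is missing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    # Bytes 511 and 512 (offsets 510 and 511) must be 0x55, 0xAA: the BIOS check.
    if sector[510:512] != b"\x55\xaa":
        return None
    (disk_signature,) = struct.unpack_from("<I", sector, 440)
    partitions = []
    for slot in range(4):  # 4 entries x 16 bytes, starting at offset 446
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * slot)
        if ptype == 0x00:  # unused slot
            continue
        partitions.append({"slot": slot, "active": status == 0x80, "type": ptype,
                           "first_lba": lba, "sectors": count})
    return {
        "disk_signature": disk_signature,
        "partitions": partitions,
        # The BIOS runs these 440 bytes unchecked, so a defender baselines their hash.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
    }


def build_sample_sector(boot_code: bytes = b"") -> bytes:
    """Constructed sector: one active type-0x07 and one type-0x83 partition."""
    def entry(status, ptype, lba, count):
        return struct.pack(ENTRY_FMT, status, ptype, lba, count)

    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x83, 206848, 1000000)
    table += bytes(32)  # two empty slots
    code = boot_code.ljust(440, b"\x00")
    return code + struct.pack("<I", 0x1234ABCD) + bytes(2) + table + b"\x55\xaa"


if __name__ == "__main__":
    info = parse_mbr(build_sample_sector())
    for part in info["partitions"]:
        print(part)
    print("boot code sha256:", info["boot_code_sha256"])
```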

Case study: Grub2 with BIOS-MBR

• Grub2 (GRand Unified Bootloader) is a popular boot loader in Linux/Unix. Its boot setting is stored in /boot/grub/grub.cfg (GRUB2)
• MBR stores Stage 1 of the boot loader: boot.img
• The empty space between MBR and the first partition stores Stage 1.5: core.img, which contains file system drivers
• The final part (stage 2) loads the config file (accessed through file names rather than raw disk read) and displays the menu of installed OSes to users

Case study: Bootmgr with BIOS-MBR

This sector is also called a Volume Boot Record (VBR) or Partition Boot Sector

Question

Dual-boot with BIOS-MBR is awkward. E.g., after installing Windows on a Linux-preinstalled machine, your Linux will “disappear”. Why?

MBR code previously for GRUB is overwritten with Windows’s boot loader code, and Windows is so arrogant that it does not bother to perform chain loading (Tips: the tool EasyBCD can fix the situation).

More essential reason: MBR can store only one boot loader

If you want to install both Linux and Windows on a machine with BIOS firmware, install Windows first and then Linux

When Linux is installed on a Windows-preinstalled machine, the entry for Windows is displayed on the Grub menu, as Grub does extra work to detect Windows and create an entry in Grub’s config file

How Chain Loading works

• Chain loading: one boot loader hands over control to another boot loader.
• E.g., Grub can chain load Windows’s boot loader by invoking the Windows boot loader code in the specified location
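
    # in grub.cfg
    menuentry "Windows 7 BIOS MBR" {
        insmod part_msdos              # MBR (msdos) partition table support
        insmod ntldr                   # provides the ntldr command
        insmod ntfs                    # file system driver for the Windows partition
        ntldr (hd0,msdos1)/bootmgr     # hand control to the Windows boot loader
    }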

Limitations of BIOS-MBR

• MBR is very limited
  – Supports ~2TB disks only
  – 4 primary partitions at most (so four OSes at most)
  – An MBR can store only one boot loader
• BIOS is very restrictive
  – 16-bit processor mode; 1MB memory space (little spare space to accommodate a file system driver)
  – Blindly executes whatever code is on the MBR

Say Goodbye to BIOS!

Say Hello to UEFI!

UEFI (to replace BIOS)

• UEFI: Unified Extensible Firmware Interface
• Successor to BIOS
• The effort to resolve the limitations of BIOS

UEFI vs. BIOS

• Disk partitioning schemes
  – GPT (GUID Partition Table): part of UEFI spec.; to replace MBR
  – MBR supports disk size 2^32 x 512B = 2TB, while UEFI supports much larger disks (2^64 x 512B = 8,000,000,000 TB)
  – MBR supports 4 partitions, while GPT supports 128
• Memory space
  – BIOS: 20-bit addressing; UEFI: 32-bit or 64-bit
• Pre-OS environment
  – BIOS only provides raw disk access, while UEFI supports the FAT file system (so you can use file names to read files)
• Booting
  – BIOS supports boot through boot sectors (MBR and VBR)
  – UEFI provides a boot partition of hundreds of megabytes (and boot manager and secure boot)

EFI System Partition

• UEFI specification considers a dedicated boot partition, called EFI System Partition (ESP), which is OS independent
  – Hundreds of megabytes (recall that MBR has 512 bytes)
  – FAT file system (UEFI contains driver for the file system)
• It contains
  – boot manager (after h/w initialization, UEFI passes control to it)
  – all the installed boot loaders (recall that in BIOS-MBR only one boot loader can be stored in MBR)
  – necessary utilities and drivers to load OSes
• The ESP partition has a unique GUID in the GPT partition table, so it can be easily located

Boot partition: EFI System Partition

EFI System Partition

What OS vendors (should) do?

• Each vendor should create a separate directory in the ESP partition, such that vendors would not step over each other
  – \EFI\$vendor\$bootloader.efi
  – E.g., \EFI\redhat\grub.efi and \EFI\Microsoft\Boot\Bootmgfw.efi
• E.g., Debian installs grub-efi for its EFI bootloader, as:

    Architecture   Path
    amd64          \EFI\debian\grubx64.efi
    i386           \EFI\debian\grubia32.efi
    arm64          \EFI\debian\grubaa64.efi

  – Each *.efi file contains code and configuration for loading the OSes by that vendor

Question

When you install Windows on a Linux-preinstalled machine with UEFI, will your Linux disappear?

No. Each vendor has its own directory in the ESP partition that stores all the boot loader information and needed files. So they will not interfere with each other

UEFI configuration variables

• UEFI config variables are stored in NVRAM
• Some store information of the boot loaders in the ESP partition
• The UEFI boot order config variables specify the order of invoking those boot loaders
  – The order can be configured very similar to the boot menu in BIOS

Normal UEFI-GPT system boot

• After h/w initialization, UEFI iterates the boot entries according to the boot order variable
• Based on the information recorded in the UEFI config variable for the boot entry, UEFI executes the specified boot loader
• The boot loader then loads the OS
• Some advanced UEFI boot manager applications, e.g., rEFIt, rEFInd, can list all installed OSes and allow users to choose which to boot

Fallback Logic

• The following logic is used
  – when booting from a removable media (e.g., USB and CD)
  – when there are no UEFI config variables stored in the NVRAM currently, or
  – when there is no working boot entry by traversing the boot order variables
• For each media (CD, USB and disk), UEFI looks for an ESP partition, and if it finds one it checks for (and executes)

    Architecture   Path
    amd64          \EFI\boot\bootx64.efi
    i386           \EFI\boot\bootia32.efi
    arm64          \EFI\boot\bootaa64.efi

How are UEFI config variables initialized?

• If this is a non-removable media (i.e., a disk), the *.efi (e.g., bootx64.efi) mentioned in the last slide will try to initialize the UEFI config variables
• It invokes fallback.efi, which then iterates over each subdir of \EFI, looking for files named BOOT.CSV, which contain the bootloader name
• For each BOOT.CSV file it finds, a boot entry is created and stored in a UEFI config variable

BOOT.CSV example

• In this example, the \EFI\fedora\BOOT.CSV is found by UEFI and typically the file content is as simple as “shim.efi,Fedora,,This is the boot entry for Fedora”
• Then, a boot entry that specifies the disk and the boot loader “\EFI\fedora\shim.efi” is created
• Finally, the entry index is appended to the boot order config variable
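
The fallback steps from the last two slides as an added example (not from the original slides and not the code of fallback.efi): a small model that walks the \EFI subdirectories, parses each BOOT.CSV, creates a boot entry and appends its index to the boot order. The dict-based ESP and NVRAM, the UTF-16 encoding of the file, and the skipping of missing or already registered loaders are assumptions of this model.

```python
def parse_boot_csv(raw: bytes) -> dict:
    """Split the first line of a BOOT.CSV into its four comma-separated fields."""
    line = raw.decode("utf-16").splitlines()[0]  # assumption: UTF-16 text with a BOM
    loader, label, options, description = line.split(",", 3)
    return {"loader": loader, "label": label,
            "options": options, "description": description}


def run_fallback(esp_files: dict, nvram: dict) -> dict:
    """Create one boot entry per usable BOOT.CSV under \\EFI and extend BootOrder."""
    order = nvram.setdefault("BootOrder", [])
    known = {v["loader"] for k, v in nvram.items() if k != "BootOrder"}
    for path in sorted(esp_files):
        parts = path.strip("\\").split("\\")
        if len(parts) != 3 or parts[0].upper() != "EFI" or parts[2].upper() != "BOOT.CSV":
            continue
        entry = parse_boot_csv(esp_files[path])
        loader_path = "\\" + "\\".join(parts[:2] + [entry["loader"]])
        # Skip a CSV whose loader is not on the ESP, and loaders already registered.
        if loader_path not in esp_files or loader_path in known:
            continue
        index = 0
        while f"Boot{index:04X}" in nvram:  # first free Boot#### slot
            index += 1
        nvram[f"Boot{index:04X}"] = {"loader": loader_path, "label": entry["label"]}
        order.append(index)  # the slide's "appended to the boot order" step
        known.add(loader_path)
    return nvram


# Constructed ESP contents (path -> bytes); the Debian loader is deliberately absent.
SAMPLE_ESP = {
    "\\EFI\\boot\\bootx64.efi": b"",
    "\\EFI\\fedora\\shim.efi": b"",
    "\\EFI\\fedora\\BOOT.CSV":
        "shim.efi,Fedora,,This is the boot entry for Fedora\n".encode("utf-16"),
    "\\EFI\\debian\\BOOT.CSV": "grubx64.efi,Debian,,Debian\n".encode("utf-16"),
}

if __name__ == "__main__":
    print(run_fallback(SAMPLE_ESP, {}))
```

The resulting boot entries are derived entirely from files on the ESP, which is why the ESP contents belong in any boot-integrity baseline.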

Question

When installing another OS on a computer, NEVER delete or format the existing ESP partition (unless you know what you are doing). Why?

With UEFI, all OSes share the single ESP partition. If you delete the existing ESP partition, all the boot loaders for existing OSes are gone

In Linux and Unix, the ESP partition is mounted at /boot/efi after the OS is booted

Pay attention to this when you partition your disk for installing Linux and Unix

Summary

• BIOS-MBR: Generation I system boot
  – What are BIOS and MBR?
  – How does it boot the system?
  – How does multi-boot work? // Chain-loading
• The limitations of BIOS and MBR
  – Disk, memory, file system, multi-booting, security, …
• UEFI-GPT: Generation II system boot
  – What are UEFI and GPT?
  – How does it boot the system?
  – How does multi-boot work? // separate dirs in /EFI

Writing Assignments

• What are the limitations of BIOS and MBR?
• How does dual-booting of Linux and Windows work in UEFI-GPT?

References

• “Booting an Operating System”, P Krzyzanowski
  – https://www.cs.rutgers.edu/~pxk/416/notes/02-boot.html
• “Managing EFI Boot Loaders for Linux”, Rod Smith
  – http://www.rodsbooks.com/efi-bootloaders/
• Case Study of RedHat
  – UEFI: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s2-grub-whatis-booting-uefi.html
  – BIOS: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-grub-whatis.html#s2-grub-whatis-booting-bios
• Case Study of UEFI in Debian
  – https://wiki.debian.org/UEFI